Greetings! Please help me to find out if i do something wrong or it is a bug.
If variable has sensitive value for one of the environments(scopes) sometimes it is shown as ***** for others.
Variables on the screenshots below actually have sensitive value only for “production” environment.

image1280×600 101 KB

image1280×420 78.1 KB

Also, you may notice that same-scoped (develop21, develop16) value is shown differently depending on “Environment” input.
This is definitely not a frontend-side issue, cause i have the same results through the API.

Version: 2020.5.1

Hi @anton.smolkov,

Thank you for contacting Octopus Support. I’m sorry that you are running into this issue.

I am going to spin up a test environment and try to get this reproduced.

I’ll let you know what I figure out.

Regards,
Donny

Hi @anton.smolkov,

Thank you for your patience.

I’ve not yet been successful at reproducing this issue. Would you be willing to share a screenshot with some of your variables for this project?

Example:

image1216×661 33.8 KB

I look forward to hearing back from you.

Regards,
Donny

Hi!
Here it is:

image1834×805 109 KB

Hi @anton.smolkov,

Thank you for getting back to me and providing the screenshot.

I’m still unable to reproduce this issue on my end. Would it be possible for you to share a backup of your SQL db for analysis?

Let me know at your earliest convenience.

Regards,
Donny

Hi!
I’ve found a pinpoint and the way to reproduce it. This is kind of funny =)

image1280×443 68.3 KB

image1280×476 77.7 KB

Now i’m not even sure that this is a big problem.
Except that it technically might be used for bruteforcing values of sensitive variables.

Hi Anton,

Thank you for the example.

Unfortunately, I am still not having any luck in reproducing this on my end. I PMed you with instructions on how to upload your SQL db for analysis.

Let me know if you run into any issues.

Regards,
Donny

Hi! Ok, little more explanation:
If you have SENSITIVE variable with content e.g. - “Content1234” and NOT SENSITIVE variable with THE SAME content - “Content1234”, NOT SENSITIVE variable is shown as HIDDEN.

Take a look at screenshots above.

Hi Anton,

Thank you kindly for following up and providing all this great information. I’m jumping in here for Donny over the holiday break.

I’ve been able to reproduce this behavior, where a sensitive and a non-sensitive variable with matching values will also mask the non-sensitive value in the variable preview. This is actually by design, and to try to prevent the value from showing up inadvertently in the logs or preview page, Octopus masks this value outright across the board. To avoid the possibility of bruteforcing these values, we’d suggest the approach of “don’t use passwords that are likely to occur in normal logging/language” (quoting this docs section).

I’m sorry for the confusion this has caused. Please let us know if you have any questions or concerns!

Best regards,

Kenny

I have no more questions. Thank you guys.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.